diff options
author | Jakub Jirutka <jakub@jirutka.cz> | 2016-11-26 01:42:42 +0100 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2016-11-26 02:23:22 +0100 |
commit | 1fc05d8d4246c31c785f0f4b8476a6cdc0724267 (patch) | |
tree | 0c693d649bf15de9b611525d50f6baa81fa10633 | |
parent | de45c93dd48decf6e9cfe483c845be35bdf6c38a (diff) |
main/nodejs-lts: use system-provided CA certificates
-rw-r--r-- | main/nodejs-lts/APKBUILD | 24 | ||||
-rw-r--r-- | main/nodejs-lts/use-system-ca-certs.patch | 75 |
2 files changed, 93 insertions, 6 deletions
diff --git a/main/nodejs-lts/APKBUILD b/main/nodejs-lts/APKBUILD index 56c9faefb5d..c9214cdf004 100644 --- a/main/nodejs-lts/APKBUILD +++ b/main/nodejs-lts/APKBUILD @@ -1,21 +1,30 @@ # Contributor: William Pitcock <nenolod@dereferenced.org> # Contributor: Jose-Luis Rivas <ghostbar@riseup.net> +# Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: Eivind Uggedal <eivind@uggedal.com> pkgname=nodejs-lts pkgver=6.9.1 -pkgrel=0 +pkgrel=1 pkgdesc="JavaScript runtime built on V8 engine - LTS version" url="http://nodejs.org/" arch="all" license="MIT" # gold is needed for mksnapshot makedepends="python2 openssl-dev zlib-dev libuv-dev linux-headers paxmark - binutils-gold http-parser-dev" + binutils-gold http-parser-dev ca-certificates" subpackages="$pkgname-dev $pkgname-doc" replaces="nodejs" -source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz" +source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz + use-system-ca-certs.patch" builddir="$srcdir/node-v$pkgver" +prepare() { + default_prepare || return 1 + + # Remove bundled CA certificates. + rm -f src/node_root_certs.h +} + build() { cd "$builddir" @@ -45,6 +54,9 @@ package() { done } -md5sums="0d3117846c6704b36108fcdbf30e03c1 node-v6.9.1.tar.gz" -sha256sums="a98997ca3a4d10751f0ebe97839b2308a31ae884b4203cda0c99cf36bc7fe3bf node-v6.9.1.tar.gz" -sha512sums="71a6e081006c8b77f34b5cc26b76c56944b4de77d7ed5e6068c72dbaf49fc18ed2894231f6a5cd0308c40e95c2e1eb5ee2abd1470fd646bb8db3b230913c5014 node-v6.9.1.tar.gz" +md5sums="0d3117846c6704b36108fcdbf30e03c1 node-v6.9.1.tar.gz +14ce8e0fb44d5bf75974026900e0d8c2 use-system-ca-certs.patch" +sha256sums="a98997ca3a4d10751f0ebe97839b2308a31ae884b4203cda0c99cf36bc7fe3bf node-v6.9.1.tar.gz +fcd2becd2cb9a62537ae11f51f448fd1061aaae17835bb0f2d2aa71bdf9652c0 use-system-ca-certs.patch" +sha512sums="71a6e081006c8b77f34b5cc26b76c56944b4de77d7ed5e6068c72dbaf49fc18ed2894231f6a5cd0308c40e95c2e1eb5ee2abd1470fd646bb8db3b230913c5014 node-v6.9.1.tar.gz +c540878495761f4c38f3cccd61da75fa5619637ba9887b7946964a7cef790178e26678fe0aabe400e32c8f0f65e97a519ceee1534bbf18a1a14bc6e9fe067637 use-system-ca-certs.patch" diff --git a/main/nodejs-lts/use-system-ca-certs.patch b/main/nodejs-lts/use-system-ca-certs.patch new file mode 100644 index 00000000000..014b1cedf12 --- /dev/null +++ b/main/nodejs-lts/use-system-ca-certs.patch @@ -0,0 +1,75 @@ +From: Jakub Jirutka <jakub@jirutka.cz> +Date: Sat, 26 Nov 2016 01:32:00 +0200 +Subject: Use system-provided CA certificates instead of bundled ones + +Forwarded: need some feedback before submitting the matter upstream +Author: Jérémy Lal <kapouer@melix.org> +Last-Update: 2014-03-02 + +Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the +correct path for Fedora + +Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for +Node.js 4.2 + +Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for +Node.js 5.4.1 + +Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for +Node.js 4.4.7 + +Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> for Alpine Linux + +--- a/src/node_crypto.cc ++++ b/src/node_crypto.cc +@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name = + + static Mutex* mutexes; + +-const char* const root_certs[] = { +-#include "node_root_certs.h" // NOLINT(build/include_order) ++const char* root_certs[] = { ++ NULL + }; + + X509_STORE* root_cert_store; +@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) { + CHECK_EQ(sc->ca_store_, nullptr); + + if (!root_cert_store) { +- root_cert_store = X509_STORE_new(); +- +- for (size_t i = 0; i < arraysize(root_certs); i++) { +- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); +- if (bp == nullptr) { +- return; +- } +- +- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); +- if (x509 == nullptr) { +- BIO_free_all(bp); +- return; +- } +- +- X509_STORE_add_cert(root_cert_store, x509); +- +- BIO_free_all(bp); +- X509_free(x509); ++ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) { ++ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); ++ } else { ++ // empty store ++ root_cert_store = X509_STORE_new(); + } ++ } else { ++ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); + } + + sc->ca_store_ = root_cert_store; +- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); + } + + +-- +2.9.0 + |